Abstract: Since the 1980s, two approaches have been developed for analyzing
security protocols. One of the approaches relies on a computational model 
that considers issues of complexity and probability. This approach captures a 
strong notion of security, guaranteed against all probabilistic polynomial-time 
attacks. The other approach relies on a symbolic model of protocol executions 
in which cryptographic primitives are treated as black boxes. Since the seminal 
work of Dolev and Yao, it has been realized that this latter approach enables 
significantly simpler and often automated proofs. However, the guarantees that 
it offers have been quite unclear. 

For more than twenty years the two approaches have coexisted but evolved mostly independently. Recently, significant research efforts attempt to develop paradigms for cryptographic systems analysis that combine the best of both worlds. There are two broad directions that have been followed. Computational soundness aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models. The direct approach aims to apply the principles and the techniques developed in the context of symbolic models directly to computational ones.

In this paper we survey existing results along both of these directions. Our 
goal is to provide a rather complete summary that could act as a quick reference 
for researchers who want to contribute to the field, want to make use of existing 
results, or just want to get a better picture of what results already exist. 
A survey of symbolic methods in the computational analysis of cryptographic systems

Abstract (translated from the French résumé): Since the 1980s, two approaches have been developed for the analysis of security protocols. One of these approaches relies on a computational model that takes probabilities and algorithmic complexity into account. This approach makes it possible to define a very strong notion of security, guaranteeing against any probabilistic polynomial-time attack. The other approach relies on a symbolic model of protocol executions, in which cryptographic primitives are treated as black boxes. Since the pioneering work of Dolev and Yao, this approach has been shown to yield much simpler and often automated security proofs. However, the level of guarantees it offers is unclear.

For more than twenty years, the two approaches have evolved largely independently. Recent research seeks to develop techniques that combine the best of both approaches. Two main directions have been taken. Computational soundness aims to establish sufficient conditions under which results obtained in symbolic models directly imply guarantees in computational models. The direct approach seeks to apply the techniques developed in the context of symbolic models directly to computational models.

In this paper, we describe the existing results along these two axes. Our goal is to provide as complete a survey as possible, which can serve to give a concise overview of the results in the field.

Keywords: security protocols, formal methods, cryptography, abstraction, state of the art
1 Introduction

Background. Security protocols are short distributed programs designed to achieve various security goals, such as data privacy and data authenticity, even when the communication between parties takes place over channels controlled by an attacker. Their ubiquitous presence in many important applications makes designing and establishing the security of cryptographic protocols a very important research goal. Two distinct approaches that have evolved starting with the early 1980s attempt to ground security analysis of protocols on firm, rigorous mathematical foundations. These two approaches are known as the computational (or the cryptographic) approach and the symbolic (or the Dolev-Yao, or the formal methods) approach. Each approach relies on mathematical models for the executions of protocols/primitives in adversarial environments, formally defines the security properties expected from cryptographic systems, and develops methods for rigorously proving that given constructions meet these requirements.

The central features of the computational approach are detailed, bit-level models for system executions and a powerful adversary: security is assessed against arbitrary probabilistic polynomial-time machines. It is generally acknowledged that security proofs in this model offer powerful security guarantees. A serious downside of this approach however is that proofs for even moderately-sized protocols are usually long, difficult, tedious, and highly error prone.

In contrast, symbolic methods employ a highly abstract view of the execution where the messages exchanged by parties are symbolic terms. Furthermore, primitives are assumed absolutely secure, which in turn leads to severe restrictions on the power of the adversary. For instance, it is postulated that the plaintext underlying a ciphertext can only be recovered if the adversary has or can derive the appropriate decryption key. The resulting models are considerably simpler than those of the computational approach, proofs are therefore also simpler, and can sometimes benefit from machine support. An important problem with this approach is that the high level of abstraction renders unclear the security guarantees that it offers.

A recent synergy. Due perhaps to the widely different sets of tools and techniques, the two approaches have coexisted and developed independently for many years. The lack of interaction between the two communities also meant that the relation between models, security results and guarantees using the two approaches was only superficially understood. Abadi and Rogaway were the first to demonstrate that establishing close relations between the models is not only possible, but also that it holds significant promise. Through their work it became clear that it is possible to employ the tools and methods specific to the symbolic approach to directly obtain computational security guarantees. The crucial implication is that such guarantees can be obtained without making use of the typical computational proofs. This realization motivated a significant amount of follow-up work. We now know of several different approaches that leverage techniques specific to the symbolic approach to simplify, avoid, or simply improve the rigorousness of computational proofs. The aim of this paper is to survey the plethora of papers that tackle this problem and briefly summarize their contributions. We hope that this survey will help researchers working in this field to get a better picture of all the different results. In addition, this survey should act as a fast reference for those researchers who want to enter the field or want to make use of existing results.

This survey. Existing results that span the gap between computational and symbolic security fall along two general directions. The first approach is known as the "computational soundness" approach. Here, the idea is to show that under certain conditions symbolic models are sound abstractions of cryptographic models, w.r.t. certain security properties. The second direction is called the "direct approach". In this line of research symbolic methods are applied directly to computational models. Although we survey both of these directions, we place more emphasis on computational soundness. This line of research is the "older" of the two, and has received significantly more attention. Next we describe the structure of our paper.

Computational soundness. Research on computational soundness was initiated by Abadi and Rogaway [AR00]. They considered the case of a passive adversary that eavesdrops on communication between honest parties. The basic question that they answer is under which conditions messages that are equivalent symbolically are also equivalent computationally. The setting they consider only uses symmetric encryption. Follow-up work treats variations of this question with respect to different notions of symbolic equivalence, different sets of primitives, slightly more powerful adversaries, and within the context of particular applications. We describe the results for the passive adversary case in Section 2.

In Section 3 we survey results on computational soundness in the presence of active adversaries. These are adversaries who have absolute control over the communication network, and who may actively interfere with the execution of the protocol. There are two main approaches and a few variations and generalizations that we discuss. All of these are based on faithfulness results that show deep connections between computational and symbolic executions of protocols: essentially, assuming appropriately strong secure implementations, the actions of a computational adversary do not go beyond those of a symbolic one. One set of results, which we describe in Section 3.1 and Section 3.2, is based on so-called trace mapping lemmas. Such lemmas state that each computational execution trace is the image of a symbolic execution. Using trace mapping, certain security properties proved using symbolic models translate immediately to computational ones. A recent result described in Section 3.3 goes even further: not only can traces be transferred, but it is shown that whenever two symbolic processes are observationally equivalent then the corresponding computational processes are computationally indistinguishable. This extends the scope of such results to an even larger set of security properties.

A second important direction uses the concept of simulatability. Roughly speaking, in such settings security is defined by relating a real system with an idealized version of the same system. The idea is to show that for any attack against the real system there exists an analogous attack against the idealized one. Since the ideal system is secure by construction it follows that no attack is possible against the real system. The desired connection between symbolic and computational models can therefore be obtained by showing a simulatability relation between an idealized, symbolic cryptographic system and a real, cryptographic implementation of such a system. In Section 3.4 we give some background regarding the general notion of simulatability. Then, in Section 3.5 we describe how simulatability has been applied in the context of a cryptographic library. In the same section we describe various applications of the simulatable cryptographic library.

The direct approach. In the remaining sections we describe a different direction for getting "the best of both worlds". These approaches aim at applying symbolic techniques directly to obtain computational security guarantees, without making use of abstract models.

One direction that we describe in Section 4 is to design logics with semantics given in terms of computational models. Proofs can then be carried out using well-designed proof rules which are shown to be computationally sound. Such a logic is obviously not complete and there might be security properties which hold but cannot be proven using the axioms of the logic. Nevertheless, the proof rules turn out to be powerful enough to allow proofs of a large range of properties and protocols. In the same section we describe work on a type system which ensures computational security. Then, in Section 5 we discuss a second technique which consists in introducing symbolic calculi that can be (provably) securely implemented at the cryptographic level. These symbolic calculi do not make explicit use of cryptography but provide high-level constructs such as confidential and authentic channels which are implemented using a secure cryptographic protocol. Finally, in Section 6 we discuss work using proof assistants for cryptographic proofs. We describe work that relies on the general purpose proof assistant Coq, which mainly checks the correctness of the proof, as well as work on the special purpose tool CryptoVerif, which moreover achieves a high level of automation. Concluding remarks can be found in Section 7.

2 Computational soundness: the passive adversary case

The most basic setting for computational soundness is that of passive adversaries who can only observe the network traffic but cannot interfere with the execution of the protocol. This is the setting considered in the seminal result of Abadi and Rogaway, who were the first to show that links between symbolic and computational models can be established [AR00, AR02]. We give the details of their work in Section 2.1 and survey the many extensions that followed in Section 2.2.

2.1 The Abadi-Rogaway result 

The result of Abadi and Rogaway shows that if a symbolic notion of secrecy of data that occurs in a message is satisfied, then a computational notion is also satisfied [AR00, AR02]. Their result holds for a class of messages constructed as in the following section.

2.1.1 Formal expressions and equivalence. 

On the formal side, one considers a simple grammar for expressions. The expressions consider two base types, keys and Booleans, which are taken from two disjoint sets $\mathbf{Keys}$ and $\mathbf{Bool}$. Keys and Booleans can be paired and encrypted.

$$
\begin{array}{lll}
M, N ::= & & \text{expressions} \\
 & K & \text{key } (K \in \mathbf{Keys}) \\
 & i & \text{bit } (i \in \mathbf{Bool}) \\
 & (M, N) & \text{pair} \\
 & \{M\}_K & \text{encryption } (K \in \mathbf{Keys})
\end{array}
$$

For example the formal expression $(K_1, \{(0, K_2)\}_{K_1})$ represents a pair: the first component of this pair is the key $K_1$; the second is the encryption with key $K_1$ of the pair consisting of the Boolean constant 0 and the key $K_2$.

Before defining the equivalence relation between terms we first need to define the deducibility relation $\vdash$. Intuitively, $M \vdash N$ if the adversary can learn the expression $N$ from the expression $M$. Formally, $\vdash$ is the smallest relation such that

$$
\begin{array}{l}
M \vdash M \qquad M \vdash 0 \qquad M \vdash 1 \\
\text{if } M \vdash N_1 \text{ and } M \vdash N_2 \text{ then } M \vdash (N_1, N_2) \\
\text{if } M \vdash (N_1, N_2) \text{ then } M \vdash N_1 \text{ and } M \vdash N_2 \\
\text{if } M \vdash \{N\}_K \text{ and } M \vdash K \text{ then } M \vdash N \\
\text{if } M \vdash N \text{ and } M \vdash K \text{ then } M \vdash \{N\}_K
\end{array}
$$

For example, if $M = (K_1, \{(0, K_2)\}_{K_1})$, then we have that $M \vdash K_2$. Moreover, $M \vdash 1$, as the constants 0 and 1 are always known to the attacker.

The equivalence relation between terms is based on the equality of the patterns associated to each term. A pattern represents the adversary's view of a term. Patterns extend the grammar defining terms by the special symbol $\Box$. The pattern of a term replaces encryptions for which the key cannot be deduced by $\Box$. This idea is formally captured by the following function $p$. The function takes as arguments a term and a set $T$ of keys and is defined inductively as follows.

$$
\begin{array}{ll}
p(K, T) = K & (K \in \mathbf{Keys}) \\
p(i, T) = i & (i \in \mathbf{Bool}) \\
p((M, N), T) = (p(M, T), p(N, T)) & \\
p(\{M\}_K, T) = \begin{cases} \{p(M, T)\}_K & \text{if } K \in T \\ \Box & \text{otherwise} \end{cases} &
\end{array}
$$

The pattern of an expression $M$ is defined by

$$\mathrm{pattern}(M) = p(M, \{K \in \mathbf{Keys} \mid M \vdash K\}).$$

For instance $\mathrm{pattern}((K_1, \{(0, \{1\}_{K_2})\}_{K_1})) = (K_1, \{(0, \Box)\}_{K_1})$.

Furthermore, expressions $M$ and $N$ are formally indistinguishable, written $M \cong N$, if and only if $\mathrm{pattern}(M) = \mathrm{pattern}(N)\sigma$, where $\sigma$ is a bijective renaming of keys. For example, we have that $0 \not\cong 1$, $K_0 \cong K_1$, $\{0\}_{K_0} \cong \{1\}_{K_1}$, and $(K_0, K_0) \not\cong (K_0, K_1)$.
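The following Python is an added example, not code from the paper: it implements the deducibility relation, the pattern function $p$ and formal equivalence up to bijective key renaming exactly as defined above, with formal expressions encoded as nested tuples (an encoding assumed here, not taken from the paper).

```python
# Added example (not from the paper): Abadi-Rogaway expressions, deducibility,
# patterns and formal equivalence, with terms encoded as nested tuples.

BIT0, BIT1 = ("bit", 0), ("bit", 1)
BOX = ("box",)


def key(name):
    return ("key", name)


def pair(m, n):
    return ("pair", m, n)


def enc(m, k):
    """Encryption {m}_k; k is the key *name* (a string)."""
    return ("enc", m, k)


def analyze(m):
    """Closure of {M, 0, 1} under the decomposition rules only: projecting pairs
    and decrypting with a key that is already known. Keys are never synthesized,
    so the key terms in this set are exactly the keys deducible from M."""
    known = {m, BIT0, BIT1}
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == "pair":
                new = [t[1], t[2]]
            elif t[0] == "enc" and key(t[2]) in known:
                new = [t[1]]
            else:
                new = []
            for x in new:
                if x not in known:
                    known.add(x)
                    changed = True
    return known


def deduces(m, n, known=None):
    """M |- N: N is obtained by analysis, or built (pairing, encryption under a
    deducible key) from deducible parts, mirroring the rules in the text."""
    known = analyze(m) if known is None else known
    if n in known:
        return True
    if n[0] == "pair":
        return deduces(m, n[1], known) and deduces(m, n[2], known)
    if n[0] == "enc":
        return deduces(m, n[1], known) and key(n[2]) in known
    return False


def p(m, t):
    """p(M, T): encryptions whose key is not in T are replaced by the box."""
    if m[0] in ("key", "bit", "box"):
        return m
    if m[0] == "pair":
        return pair(p(m[1], t), p(m[2], t))
    return enc(p(m[1], t), m[2]) if m[2] in t else BOX


def pattern(m):
    """pattern(M) = p(M, {K | M |- K})."""
    return p(m, {t[1] for t in analyze(m) if t[0] == "key"})


def _rename(src, dst, sigma):
    """Extend the key renaming sigma with src -> dst, keeping it bijective."""
    if src in sigma:
        return sigma[src] == dst
    if dst in sigma.values():
        return False
    sigma[src] = dst
    return True


def _match(a, b, sigma):
    """a == b sigma for a bijective key renaming sigma built on the fly."""
    if a[0] != b[0]:
        return False
    if a[0] == "key":
        return _rename(b[1], a[1], sigma)
    if a[0] == "enc":
        return _rename(b[2], a[2], sigma) and _match(a[1], b[1], sigma)
    if a[0] == "pair":
        return _match(a[1], b[1], sigma) and _match(a[2], b[2], sigma)
    return a == b  # bit or box


def equivalent(m, n):
    """M and N are formally indistinguishable: pattern(M) = pattern(N) sigma."""
    return _match(pattern(m), pattern(n), {})


if __name__ == "__main__":
    K1, K2 = key("K1"), key("K2")
    M = pair(K1, enc(pair(BIT0, K2), "K1"))   # (K1, {(0, K2)}_K1) from the text
    print(deduces(M, K2), deduces(M, BIT1))    # True True
    print(pattern(pair(K1, enc(pair(BIT0, enc(BIT1, "K2")), "K1"))))
```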

2.1.2 Computational setting and hypotheses on the implementation. 

In the computational setting, one reasons at the level of bitstrings and algorithms executed on Turing machines, rather than on abstract terms. Expressions are interpreted as bitstrings by instantiating each of the symbolic operations (including the constants) via appropriate algorithms. In particular we assume a computational pairing function that takes as input two bitstrings $m_1$ and $m_2$ and outputs their concatenation $(m_1, m_2)$. The function is such that $m_1$ and $m_2$ are easily extractable from $(m_1, m_2)$. Furthermore, we use a concrete encryption scheme, which is a triple of polynomial-time algorithms $\mathcal{K}, \mathcal{E}, \mathcal{D}$ for key generation, encryption and decryption respectively. The key generation algorithm is parameterized by a security, or complexity, parameter $\eta \in 1^*$. Intuitively, $\eta$ defines the key length. As expected we require that $\mathcal{D}_k(\mathcal{E}_k(m, r)) = m$ for any $k \in \mathcal{K}(\eta)$, message $m$, and random bitstring $r$ (that represents the coins of the probabilistic encryption algorithm).

The Abadi-Rogaway result relies on a security notion for encryption schemes termed "type-0" in the original paper [AR00]. Here, we call schemes that satisfy this notion, which we recall below, simply secure. Informally, secure schemes hide all information about encrypted plaintexts (including their length) and hide all information about the encryption key. This notion is significantly stronger than more standard ones which allow ciphertexts to reveal the length of the underlying plaintext as well as partial information about the encryption key. The stronger assumption is used for simplicity, as the Abadi-Rogaway framework can be further refined to only rely on the more standard notions.

An encryption scheme is secure if for any security parameter $\eta$ and any probabilistic polynomial-time Turing machine $A$ (the adversary) the advantage

$$\mathrm{Adv}(A) = \Pr\big[k, k' \xleftarrow{R} \mathcal{K}(\eta) : A^{\mathcal{E}_k(\cdot),\, \mathcal{E}_{k'}(\cdot)}(\eta) = 1\big] - \Pr\big[k \xleftarrow{R} \mathcal{K}(\eta) : A^{\mathcal{E}_k(0),\, \mathcal{E}_k(0)}(\eta) = 1\big]$$

is a negligible function of $\eta$. Here, $x \xleftarrow{R} D$ denotes the random sampling of an element of distribution $D$ and $A^O$ is the Turing machine $A$ that has access to a set of oracles $O$. Intuitively, one requires that an adversary cannot distinguish the case where he is given two encryption oracles encrypting with two different keys from the case where he is given twice the same encryption oracle always encrypting the constant bitstring representing 0 with the same key. Note that security under this notion implies that encryption needs to be randomized, so that an adversary does not see identical answers when confronted with the second pair of (identical) oracles. In [AR02], the authors provide constructions for such schemes from standard cryptographic assumptions.

A recurrent theme in computational soundness is that of acyclic expressions. The reason is that an encryption scheme respecting the above security definition may be insecure as soon as the adversary is given a key cycle. We say that a key $K_1$ encrypts a key $K_2$ in a formal expression $M$ if $M$ contains a subexpression $\{N\}_{K_1}$ and $K_2$ occurs in $N$. In this way any expression $M$ defines a binary relation encrypts on keys. We say that an expression contains a key cycle if and only if the corresponding encrypts relation is cyclic. For instance $M_1 = \{K\}_K$ contains a key cycle as $K$ encrypts $K$. In $M_2 = \{\{K_1\}_{K_2}\}_{K_3}$ we have that $K_3$ encrypts $K_1$, $K_3$ encrypts $K_2$ and $K_2$ encrypts $K_1$, and hence $M_2$ does not contain any key cycle. In Abadi and Rogaway's main result, key cycles are therefore forbidden. Similar conditions can be found in most soundness results. To better understand the problem of key cycles suppose that $\mathcal{SE} = (\mathcal{KG}, \mathcal{E}, \mathcal{D})$ is a secure encryption scheme and let $\mathcal{SE}' = (\mathcal{KG}', \mathcal{E}', \mathcal{D}')$ be defined as follows:

$$\mathcal{KG}' = \mathcal{KG}, \qquad
\mathcal{E}'_k(m, r) = \begin{cases} \mathcal{E}_k(m, r) & \text{if } m \neq k \\ (\mathrm{const}, k) & \text{if } m = k \end{cases}, \qquad
\mathcal{D}'_k(c) = \begin{cases} \mathcal{D}_k(c) & \text{if } c \neq (\mathrm{const}, k) \\ k & \text{if } c = (\mathrm{const}, k) \end{cases}$$

where $\mathrm{const}$ is a constant such that for any key $k$, the concatenation $\mathrm{const} \cdot k$ does not belong to the set of possible ciphertexts obtained by $\mathcal{E}$. Obviously, if the attacker is given a key cycle of length 1, e.g., $\mathcal{E}'_k(k, r)$, the attacker directly learns the key. It is also easy to see that $\mathcal{SE}'$ is a secure encryption scheme as it behaves as $\mathcal{SE}$ in nearly all cases (in the security experiment the adversary can make a query for encrypting $k$ with itself only with negligible probability).
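The following Python is an added example, not code from the paper: it computes the encrypts relation of a formal expression as defined above (the encoding of expressions as nested tuples is an assumption of this example) and decides whether the expression contains a key cycle, which is the side condition that the soundness theorem needs to check.

```python
# Added example (not from the paper): the "encrypts" relation of a formal
# expression and a key-cycle test, with terms encoded as nested tuples.


def key(name):
    return ("key", name)


def pair(m, n):
    return ("pair", m, n)


def enc(m, k):
    """Encryption {m}_k; k is the key name (a string)."""
    return ("enc", m, k)


def encrypts(m, under=()):
    """Set of pairs (K1, K2) with 'K1 encrypts K2 in m': some subexpression
    {N}_K1 of m has K2 occurring in N, either as a term or as an encryption key.
    `under` lists the keys of the encryptions enclosing the current subterm."""
    edges = set()
    if m[0] == "key":
        edges.update((k, m[1]) for k in under)
    elif m[0] == "pair":
        edges |= encrypts(m[1], under) | encrypts(m[2], under)
    elif m[0] == "enc":
        edges.update((k, m[2]) for k in under)   # the key symbol itself occurs in N
        edges |= encrypts(m[1], under + (m[2],))
    return edges


def has_key_cycle(m):
    """True iff the encrypts relation of m is cyclic (depth-first search with
    white/grey/black colouring; reaching a grey node again means a cycle)."""
    succ = {}
    for a, b in encrypts(m):
        succ.setdefault(a, set()).add(b)
        succ.setdefault(b, set())
    colour = {k: "white" for k in succ}

    def visit(k):
        colour[k] = "grey"
        for nxt in succ[k]:
            if colour[nxt] == "grey" or (colour[nxt] == "white" and visit(nxt)):
                return True
        colour[k] = "black"
        return False

    return any(colour[k] == "white" and visit(k) for k in succ)


if __name__ == "__main__":
    M1 = enc(key("K"), "K")                      # {K}_K from the text
    M2 = enc(enc(key("K1"), "K2"), "K3")         # {{K1}_K2}_K3 from the text
    print(sorted(encrypts(M2)))   # [('K2', 'K1'), ('K3', 'K1'), ('K3', 'K2')]
    print(has_key_cycle(M1), has_key_cycle(M2))  # True False
```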

The notion of computational indistinguishability requires that an adversary cannot distinguish two (families of) distributions with better than negligible probability. Let $D = \{D_\eta\}$ and $D' = \{D'_\eta\}$ be two families of probability distributions. $D$ and $D'$ are computationally indistinguishable, written $D \approx D'$, if for any $\eta$ and any probabilistic polynomial-time Turing machine $A$, the advantage

$$\mathrm{Adv}(A) = \Pr\big[x \xleftarrow{R} D_\eta : A(\eta, x) = 1\big] - \Pr\big[x \xleftarrow{R} D'_\eta : A(\eta, x) = 1\big]$$

is a negligible function of $\eta$.

2.1.3 Interpretation of formal expressions and soundness result. 

The Abadi-Rogaway result links the notion of pattern equivalence on expressions defined in the previous section with an appropriate notion of computational equivalence defined on distributions. These distributions are associated to expressions using the following algorithms that convert formal expressions into bitstrings.

Bitstrings are tagged using types "key", "bool", "pair" and "ciphertext". The Initialize procedure uses $\mathcal{K}$ to generate actual keys for each of the key symbols that occurs in $M$ (that is, for each key $K \in \mathbf{Keys}(M)$). Then, the Convert procedure implements encryption using algorithm $\mathcal{E}$.

$\mathrm{Initialize}_\eta(M)$
    for $K \in \mathbf{Keys}(M)$ do $\tau(K) \xleftarrow{R} \mathcal{K}(\eta)$

$\mathrm{Convert}(M)$
    if $M = K$ ($K \in \mathbf{Keys}$) then
        return $(\tau(K), \text{"key"})$
    if $M = b$ ($b \in \mathbf{Bool}$) then
        return $(b, \text{"bool"})$
    if $M = (M_1, M_2)$ then
        return $((\mathrm{Convert}(M_1), \mathrm{Convert}(M_2)), \text{"pair"})$
    if $M = \{M_1\}_K$ then
        $x \leftarrow \mathrm{Convert}(M_1)$
        $y \xleftarrow{R} \mathcal{E}_{\tau(K)}(x)$
        return $(y, \text{"ciphertext"})$

The Initialize and Convert procedures associate to a formal term $M$ a family of probability distributions $[\![M]\!] = \{[\![M]\!]_\eta\}$.

Abadi and Rogaway's main result is that for any formal expressions $M$ and $N$ that do not contain key cycles, whenever the computational interpretation of the terms uses a secure encryption scheme (as defined above), $M \cong N$ implies that $[\![M]\!] \approx [\![N]\!]$. In other words, they show that pattern-based equivalence is a sound abstraction of cryptographic indistinguishability.
2.2 Extensions of the Abadi-Rogaway result

The initial result of Abadi and Rogaway has given rise to many extensions. Some 
of these extensions consider the question of completeness of their logic. Other 
extensions consider different implementations of encryption (with variants of 
the initial patterns) as well as other cryptographic primitives. 

2.2.1 Completeness of the Abadi-Rogaway logic. 

In [MW02, MW04a], Micciancio and Warinschi show that the Abadi-Rogaway logic is not complete as presented in the original paper. Here, by completeness we mean that $M \not\cong N$ implies that $[\![M]\!] \not\approx [\![N]\!]$, i.e., whenever two formal expressions are not equivalent, then the computational interpretations of these two messages should be distinguishable. Micciancio and Warinschi exhibit a counter-example by constructing a secure encryption scheme and two symbolic expressions that are not symbolically equivalent, which yet give rise to indistinguishable probability distribution ensembles.

They show that completeness can be recovered by implementing encryption with a scheme that is authenticated. Informally, an encryption scheme is authenticated if an adversary cannot produce a valid ciphertext different from ciphertexts honestly produced by the parties that possess the encryption key. Gligor and Horvitz [HG03] further refine this completeness result. They introduce a new security criterion for encryption schemes, weak key-authenticity test for expressions (WKA-EXP), which is strictly weaker than authenticated encryption. WKA-EXP is both sufficient and necessary for completeness.

2.2.2 Public-key encryption. 

In [Her03, Her05], Herzog shows a similar result as Abadi and Rogaway, but for public-key encryption. Patterns are generalized in the expected way for expressions that use public-key encryption. The problem of key cycles also persists in this setting. To define a key cycle of an expression $M$ in the public-key setting one constructs a graph $G_M$: the set of vertices is the set of public/private key pairs $\{(\mathrm{pubK}_1, \mathrm{privK}_1), \ldots, (\mathrm{pubK}_n, \mathrm{privK}_n)\}$; there exists an edge from $(\mathrm{pubK}_i, \mathrm{privK}_i)$ to $(\mathrm{pubK}_j, \mathrm{privK}_j)$ if $\mathrm{pubK}_i$ encrypts $\mathrm{privK}_j$ in $M$. $M$ has no key cycle if $G_M$ is acyclic. Herzog presents a soundness theorem, similar to the one of Abadi and Rogaway, whenever the encryption scheme used for the computational interpretation provides indistinguishability under chosen-ciphertext attacks (IND-CCA2 security).

2.2.3 Composed keys. 

In [LC04], Laud and Corin extend the original soundness theorem to allow arbitrary expressions as keys. The tricky part is again to handle key cycles correctly. As arbitrary expressions are used in the position of keys, the definition of what is a key cycle is not obvious. Rather than giving an explicit definition of what is a key cycle, key cycles are directly captured in the formal equivalence relation. More precisely, an expression is not formally equivalent to its pattern whenever a "key cycle" is present. For instance, $\{(K_1, K_2)\}_{(K_1, K_2)} \not\cong \Box$ and $(\{K_1\}_{(K_1, K_2)}, \{K_2\}_{(K_1, K_2)}) \not\cong (\Box, \Box)$. However, $\{K_1\}_{(K_1, K_2)} \cong \Box$, because the second part of the key, $K_2$, is never encrypted.
2.2.4 Handling key cycles.

Key cycles have gained a lot of attention in the context of computational soundness. The reason is that there is an inherent difference between their treatment in symbolic models (where such cycles do not cause any trouble) and the computational model (where standard security definitions do not guarantee security in the presence of key cycles). There are two natural approaches to reconcile this apparent difference.

One possibility is to strengthen the symbolic attacker. This is the direction explored by Laud in [Lau02]. The idea is to modify the symbolic deduction relation so that whenever a key occurs in a key cycle then it becomes known to the attacker. Laud shows an unconditional soundness theorem in the style of Abadi and Rogaway (unconditional in the sense that formal expressions may contain key cycles).

The second possibility is to strengthen the computational notion so as to guarantee security even in the presence of key cycles. This is the approach adopted by Adão et al. in [ABHS05]. They consider a stronger security notion, called key-dependent message (KDM) security, which demands security even in the presence of such cycles. They show that soundness holds in a public-key setting in the presence of key cycles when a KDM-secure encryption scheme is used for the computational interpretation of encryption. They also prove a separation between standard security notions (IND-CCA2) and KDM security and demonstrate that IND-CCA2 security is not sufficient to provide soundness in the presence of key cycles. Schemes secure under the KDM notion can be easily constructed in the random oracle model, but schemes secure in the standard model seem much harder to construct. Recently, Boneh et al. [BHHO08] demonstrated the existence of an asymmetric encryption scheme secure under key-dependent message attacks in a restricted sense: their scheme does not permit the encryption of messages that depend in arbitrary ways on the set of secret keys.

In most of the other approaches, one has to assume that key cycles cannot be generated, even when the adversary interacts arbitrarily with the protocol. Whether a key cycle can be generated is undecidable in the general case but it has been shown to be NP-complete in the symbolic setting, for an active adversary and a bounded number of sessions [CZ06].

2.2.5 Partial information leakage and information theoretic security. 

Adão et al. [ABS05] consider different computational implementations of the encryption function. In particular they show soundness and completeness when which-key and length-key revealing encryption schemes are used. A which-key revealing encryption scheme allows the adversary to detect when two ciphertexts have been encrypted with the same key. At the symbolic level this is reflected by indexing the boxes with the encryption key, yielding a more precise equivalence relation. For instance, $\mathrm{pattern}(\{0\}_K) = \Box_K$ and hence we have that $(\{0\}_K, \{1\}_K) \not\cong (\{0\}_K, \{1\}_{K'})$. A length-key revealing encryption scheme allows the attacker to learn the length of the plaintext. At the symbolic level the boxes are indexed with the length of the plaintext to reflect this partial information leakage.

The authors also consider the case where encryption is implemented by a one-time pad. Whenever encryption keys are only used once they show that one obtains soundness and completeness with respect to an information-theoretic setting. In such a setting the equivalence is the equality of the probability distributions rather than indistinguishability by a polynomial-time bounded adversary.

2.2.6 Hash functions. 

Garcia and van Rossum [GvR06] extend the Abadi-Rogaway logic to hash functions. Soundness theorems for hash functions are particularly tricky as in the symbolic model, hash functions do not leak any partial information about the hashed message. Typical computational security definitions for hash functions provide weaker guarantees, such as one-wayness. Garcia and van Rossum show a soundness result when hash functions are implemented using oracle hashing. Oracle hashing has been introduced by Canetti: it is a probabilistic hash function which requires a verification algorithm to check whether a hash corresponds to a given message. These are hash functions that do hide all partial information about the message that is being hashed. In the journal version [GvR08], they extend Micciancio and Warinschi's completeness result to hash functions in a similar way.

2.2.7 Modular exponentiation. 

Bresson et al. [BLMW07] give an extension of the Abadi-Rogaway logic with modular exponentiation. They show how to extend the notion of patterns in order to capture the information that is leaked through exponentiation, which is essentially linear dependencies between the various exponents. For example, the symbolic secrecy notion captures the idea that an adversary can observe that in the expression $(g^x, g^y, g^{2x+y})$ the third term can be obtained by squaring the first one and multiplying it with the second. Non-linear relations, as in the expression $(g^x, g^y, g^{x+xy})$, cannot be observed by the adversary. The soundness for the resulting language relies on a generalization of the Diffie-Hellman assumption. The authors also show that in the most interesting situations the basic Diffie-Hellman assumption suffices.

In the same vein as [BLMW07], Mazaré [Maz07, KM09] presents an extension of the Abadi-Rogaway logic with a bilinear pairing operation. The soundness result assumes the hardness of the bilinear decisional Diffie-Hellman problem and an IND-CPA encryption scheme. The soundness result is illustrated on the Joux tripartite Diffie-Hellman protocol, as well as the TAK-2 and TAK-3 protocols.

2.2.8 Offline guessing attacks. 

In security protocols passwords or other weak data are often used as encryption keys. For such protocols an important security property is resistance to offline guessing attacks. In such attacks an attacker first collects (possibly by interacting with the protocol) some data. In a second phase, he guesses a password out of a dictionary. If the attacker has a means to verify that his guess was correct using the data he has gathered, then the protocol is subject to a guessing, or dictionary, attack. In [AW05a], Abadi and Warinschi have shown soundness results for protocols that use password encryptions. They define the computational security of a password encryption primitive: for any two passwords, any polynomially bounded adversary that is given these two passwords and given access to an oracle encrypting samples drawn from a plaintext distribution is not able to distinguish whether the oracle uses the first or the second password for encryption. They also define formal and computational security of expressions against offline guessing attacks in terms of indistinguishability. Then for symmetric, asymmetric and password encryptions with secure implementations they show two soundness theorems. The first one is an extension of the Abadi-Rogaway soundness theorem for indistinguishability. The second theorem states that whenever a formal expression $E$ hides passwords, then its computational interpretation also hides passwords. These results hold for IND-CPA secure symmetric and asymmetric schemes, and for password-based encryption schemes that "securely" encrypt keys and ciphertexts of the symmetric and asymmetric schemes. In addition, they only hold for expressions that do not contain key cycles.

2.2.9 Cryptographically controlled access control to XML. 

A compelling application of computational soundness against passive adversaries was given by Abadi and Warinschi [AW05b, AW08]. The focus of that work is the security of a scheme that uses encryption to enforce access control policies on XML documents. The scheme, designed by Miklau and Suciu [MS03], explains how to obtain from a given XML document and a given access policy a so-called protection: a partially encrypted XML document which enforces the original access policy. The guarantees for the scheme were rather informal.

Abadi and Warinschi formalize the scheme using a symbolic language for expressions that extends the one of Abadi and Rogaway with secret sharing schemes. Then, they show that secrecy as demanded by the policy used to create a certain protection on an XML document is satisfied in a symbolic sense: data that should be secret according to the policy is symbolically secret in the expression that describes the protection. It then follows, using the computational soundness of the language for expressions, that the same data is also computationally secret. The soundness results hold for implementations that use IND-CPA encryption schemes and n-out-of-n secure secret sharing schemes.

2.2.10 Soundness against an adaptive adversary. 

Micciancio and Panjwani [MP05] show a soundness result for encryption and pairing in the presence of a slightly stronger, adaptive adversary. Soundness is defined through the following experiment. An adversary has access to a left-right oracle which, given as input two terms $M_1$ and $M_2$, returns a sample of the computational interpretation of $M_b$, where $b$ is the challenge bit of the oracle. The adversary can interact with the oracle but is only allowed to submit queries such that the sequence of queries $(M_1^1, M_2^1), \ldots, (M_1^n, M_2^n)$ sent to the oracle is such that $(M_1^1, \ldots, M_1^n)$ is formally equivalent, i.e. has the same pattern up to renaming, to $(M_2^1, \ldots, M_2^n)$. The adversary wins if he succeeds in outputting $b$ with non-negligible probability. Note that the oracle is stateful and implements terms in a consistent way, i.e. if a key has been drawn in a previous query the same value is reused in subsequent queries. An adaptive adversary is strictly stronger than a purely passive one as he can choose his queries after having already obtained the implementation of some terms. On the technical level, having an adaptive adversary raises the problem of selective decommitment, which is overcome by imposing the following condition: if a key is used to encrypt a message, it either must have been sent previously in plaintext or it never appears in plaintext. The usefulness of an adaptive adversary is illustrated by deriving a computationally sound symbolic model for the analysis of multicast key distribution protocols. In this model, the adversary cannot directly interact with the protocol participants, but he can influence the control flow.
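The stateful left-right oracle and its admissibility condition, as an added example (not code from the survey or from [MP05]): terms are built from keys, nonces, pairs and symmetric encryption; a query is accepted only if the whole left history and the whole right history still have the same Abadi-Rogaway pattern up to renaming, and atoms drawn once are reused. The term encoding, the helper names and the SHA-256 based toy encryption (for illustration only) are this example's own assumptions.

```python
import hashlib
import os
from typing import List, Set, Tuple

# Constructed mini term language: a term is a nested tuple.
Term = tuple
def K(name: str) -> Term: return ('key', name)
def N(name: str) -> Term: return ('nonce', name)
def pair(a: Term, b: Term) -> Term: return ('pair', a, b)
def enc(k: Term, m: Term) -> Term: return ('enc', k, m)


def recoverable_keys(terms: List[Term]) -> Set[str]:
    """Keys a passive adversary learns from a sequence of terms (fixpoint)."""
    known: Set[str] = set()
    while True:
        found: Set[str] = set()
        def visit(t: Term) -> None:
            if t[0] == 'key':
                found.add(t[1])
            elif t[0] == 'pair':
                visit(t[1]); visit(t[2])
            elif t[0] == 'enc' and t[1][1] in known:  # decryptable: look inside
                visit(t[2])
        for t in terms:
            visit(t)
        if found <= known:
            return known
        known |= found


def pattern(t: Term, known: Set[str]) -> Term:
    """Abadi-Rogaway pattern: undecryptable ciphertexts become a box."""
    if t[0] == 'pair':
        return ('pair', pattern(t[1], known), pattern(t[2], known))
    if t[0] == 'enc':
        return ('enc', t[1], pattern(t[2], known)) if t[1][1] in known else ('box',)
    return t


def canonical(seq: List[Term]) -> Tuple:
    """Pattern of the sequence with atoms renamed by order of first occurrence."""
    known = recoverable_keys(seq)
    names: dict = {}
    def rename(t: Term) -> Term:
        if t[0] in ('key', 'nonce'):
            return (t[0], names.setdefault((t[0], t[1]), len(names)))
        if t[0] == 'box':
            return t
        return (t[0],) + tuple(rename(s) for s in t[1:])
    return tuple(rename(pattern(t, known)) for t in seq)


def equivalent(left: List[Term], right: List[Term]) -> bool:
    """Formal equivalence: same pattern up to renaming."""
    return canonical(left) == canonical(right)


class LeftRightOracle:
    """Stateful oracle of the adaptive experiment; b in {1, 2} selects M_b."""

    def __init__(self, b: int) -> None:
        self.b, self.left, self.right, self.values = b, [], [], {}

    def _atom(self, t: Term) -> bytes:
        if t not in self.values:          # consistency: reuse earlier draws
            self.values[t] = os.urandom(16)
        return self.values[t]

    def interpret(self, t: Term) -> bytes:
        if t[0] in ('key', 'nonce'):
            return self._atom(t)
        if t[0] == 'pair':
            a, b = self.interpret(t[1]), self.interpret(t[2])
            return len(a).to_bytes(2, 'big') + a + b
        # toy probabilistic encryption: fresh IV, SHA-256 keystream (illustration only)
        key, msg, iv = self._atom(t[1]), self.interpret(t[2]), os.urandom(16)
        stream = b''.join(hashlib.sha256(key + iv + i.to_bytes(4, 'big')).digest()
                          for i in range(len(msg) // 32 + 1))
        return iv + bytes(x ^ y for x, y in zip(msg, stream))

    def query(self, m1: Term, m2: Term) -> bytes:
        # reject queries that would separate the two histories
        if not equivalent(self.left + [m1], self.right + [m2]):
            raise ValueError("query rejected: histories are not pattern-equivalent")
        self.left.append(m1); self.right.append(m2)
        return self.interpret(m1 if self.b == 1 else m2)
```

Querying `enc(k, n)` against `enc(k, k')` is admissible (both are boxes), but a later query revealing `k` on both sides is rejected, because decrypting the earlier ciphertexts would now expose the difference.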

2.3 Soundness of static equivalence 

Baudet, Cortier, and Kremer have considered a more general alternative to the approach described in the previous sections. They develop a framework in which symbolic secrecy is expressed in terms of static equivalence, a well-established equivalence relation from cryptographic pi-calculi [BCK05, BCK09]. This approach is more general in that it does not depend on a particular set of primitives.

2.3.1 Abstract and computational algebras. 

Independence from particular primitives is reflected in their use of an arbitrary abstract algebra to describe the messages exchanged in a protocol. The algebra is defined over a many-sorted first-order signature equipped with an equational theory. For instance, symmetric deterministic encryption is modeled by the theory $E_{enc}$ generated by the classical equation $dec(enc(x, y), y) = x$. Equality between two terms is generally interpreted modulo the equational theory (denoted $=_E$ for an equational theory $E$). For example, $dec(enc(m, k), k) =_{E_{enc}} m$. Given an abstract signature, a computational algebra $A$ is defined by associating to every sort $s$ of the abstract algebra a set of bitstrings $[\![s]\!]_A \subseteq \{0,1\}^*$ with an efficient procedure for drawing random elements, and to every function symbol $f$ a computational function $[\![f]\!]_A$. Given a symbolic term $T$, a distribution $[\![T]\!]_A$ is associated to it by drawing a random element of the corresponding sort for each name and replacing each function symbol by its computational counterpart.

2.3.2 Security notions, soundness, and faithfulness. 

The two security notions considered are deducibility and static equivalence. Deducibility formalizes which terms an attacker can compute from a given sequence of terms. Static equivalence models whether two sequences of terms can be distinguished. Both deducibility and static equivalence are parameterized by an equational theory. In this approach, static equivalence replaces the pattern-based formal equivalence.

To reason about the soundness of implementations, Baudet et al. define soundness for the three relations $=_E$, $\vdash_E$ and $\approx_E$. Soundness of $=_E$ means that whenever two terms are symbolically equal (modulo $E$), any sample drawn from the distribution implementing those terms should be equal with overwhelming probability. Soundness of $=_E$ is generally a hypothesis which reflects that the equational theory is a reasonable abstraction of the primitives. Similarly, they define soundness for deducibility and static equivalence. When a term is not deducible from a sequence of terms, then an attacker given the distribution implementing the given sequence of terms should be able to output a sample of the distribution implementing the term with only negligible probability. When two sequences of terms are statically equivalent, then the distributions associated to these sequences should be indistinguishable.

Faithfulness of those three relations, on the other hand, represents a strong version of completeness. Whenever two terms are not equal, a term is deducible, or two sequences of terms are not statically equivalent, a computational adversary can show this with overwhelming probability (rather than with non-negligible probability, which would be completeness). Intuitively, when the relations are faithful, for any symbolic attack there exists an efficient computational attack.

It is shown that for many theories $\approx_E$-soundness implies all other notions of soundness and faithfulness. This emphasizes the importance of $\approx_E$-soundness.

2.3.3 Examples: groups, XOR, ciphers and lists 

In [BCK05, BCK09], Baudet et al. consider several equational theories to illustrate their framework. First they show that $\approx_E$-soundness of an equational theory modeling groups implies the hardness of several classical cryptographic problems: the discrete logarithm, computational Diffie-Hellman, decisional Diffie-Hellman and RSA problems. Note that this is not a soundness result. It shows that any candidate implementation for $\approx_E$-soundness requires at least the hardness of the usual cryptographic problems. Second, they show the unconditional $\approx_E$-soundness of a theory of XOR. The soundness proof reflects the unconditional security (in the information-theoretic sense) of the One-Time Pad. Finally, they show $\approx_E$-soundness of a theory of ciphers and lists (ciphers are deterministic, length-preserving, symmetric encryption schemes).

2.3.4 Soundness of offline guessing attacks and static equivalence. 

In [ABW06], Abadi, Baudet and Warinschi use the framework of [BCK05, BCK09] to show $\approx_E$-soundness for an equational theory useful in the context of offline guessing attacks. This theory includes symmetric and asymmetric encryption as well as pairing. A consequence of this soundness result is its applicability to defining and reasoning about offline guessing attacks in terms of static equivalence. The result is an intuitively appealing implication to computational security against offline attacks.

2.3.5 Static equivalence vs formal indistinguishability relations. 

In [BMS06], Bana, Mohassel and Stegers argue that the notion of static equivalence is too coarse and not sound for many interesting equational theories. They introduce a general notion of formal indistinguishability relation. This highlights that soundness of static equivalence only holds for a restricted set of well-formed frames (in the same vein, Abadi and Rogaway used restrictions to forbid key cycles). They illustrate the unsoundness of static equivalence for modular exponentiation.

2.3.6 Adaptive soundness of static equivalence. 

The analogue of [MP05], but for the setting where pattern-based equivalence is replaced with static equivalence, has been provided by Kremer and Mazaré [KM07], who extend the framework of [BCK05]. In this case, adaptive soundness is defined through an experiment. The adversary interacts with a left-right oracle which, given two symbolic terms, returns either a sample of the concrete implementation of the first or of the second term, according to the oracle's challenge bit. As in [MP05], the adversary is restricted to only provide queries such that the left-hand terms and the right-hand terms form two statically equivalent sequences, rather than pattern-equivalent sequences. They show adaptive soundness of static equivalence for an equational theory modeling modular exponentiation (for a class of well-formed frames, hence not contradicting [BMS06], and under similar assumptions as in [BLMW07]), as well as symmetric encryption with composed keys which can be computed using modular exponentiation or exclusive or.

2.4 Computationally secure information flow 

A different kind of soundness result has been obtained in the area of information flow. Informally, a program has secure information flow if the public outputs of the program do not leak information about its confidential inputs. Classically, information flow is defined as non-interference, requiring that no information, in the information-theoretic sense, is leaked. In particular, such a definition forbids publishing the encryption of a confidential value. Allowing encrypted confidential values to be published is generally referred to as cryptographic declassification.

Laud [Lau01] pioneered the area of computationally secure information flow. He proposes a computational definition of secure information flow in the presence of a probabilistic polynomial-time adversary. The programming language he considers contains assignment, loops, conditionals, sequential composition and application of some operators. In particular, the operators include symmetric encryption and key generation. Laud presents a static analysis which ensures computationally secure information flow, assuming an implementation that uses a which-key and repetition-concealing IND-CPA encryption scheme. Two limitations of the paper are that keys can only be used in key position, and not as data, and that one must be able to decide statically whether two variables contain the same encryption key. These two restrictions are relaxed in [Lau03] by refining the static analysis.

In [LV05], Laud and Vene propose a computationally sound type system which ensures secure information flow. A similar approach is presented by Smith and Alpízar [SA06]. A difference is that Smith and Alpízar allow an explicit decryption operator (and hence require IND-CCA security to achieve soundness). However, they do not manipulate keys, but only consider a single key which is used for encryption and decryption, but never as plaintext. Courant, Ene and Lakhnech [CEL07] also design a cryptographically sound type system. The basic data contain constants and uniformly sampled bitstrings. Operations include exclusive or and applications of deterministic, length-preserving encryption, i.e. ciphers. As Smith and Alpízar, they consider a single key which is only used for encryption and decryption. Due to the deterministic nature of ciphers, which do not hide repetitions, subtle flows may still arise. Courant et al. show cryptographic soundness of their typing system under the hypothesis that the encryption scheme satisfies the pseudorandom permutation (PRP for short) security notion. Moreover, the soundness result is shown in the concrete (or exact) model, rather than being asymptotic.

An abstract model for reasoning about secure information flow is the framework of Askarov, Hedin and Sabelfeld for dealing with cryptographically-masked flows [AHS06]. Here, they consider an imperative language with encryption and decryption operations which comes with a non-deterministic semantics, avoiding reasoning about probabilities. In [Lau08], Laud investigates the computational soundness of cryptographically masked flows and identifies the necessary restrictions and cryptographic assumptions. In particular, symmetric encryption needs to satisfy length- and which-key concealing KDM security, as well as a key-dependent-message variant of plaintext integrity. Laud also suggests a simpler but equivalent model with a completely deterministic abstract semantics. The security definition in this model is based on Abadi and Rogaway's pattern equivalence. The soundness result directly follows from [ABHS05], discussed earlier in this survey.


3 Computational soundness: the active adversary case

The focus of the previous section was on the case where the adversary only observes the network traffic and tries to gain information about the secrets used in an execution. In this section we shift attention to the case of active adversaries, namely adversaries that can interfere with the execution of protocols.

As explained in the previous sections, the main abstraction used by symbolic models is to represent messages (that is, bitstrings) by symbolic terms. A second abstraction, which is quite important for the active setting, is given by how adversarial capabilities are treated.

In symbolic models, the adversary can build new messages using an a priori fixed set of symbolic inference rules. For example, he can get information from an encrypted message only if he has the appropriate decryption key. On the other hand, in computational models the adversary is a probabilistic polynomial-time (p.p.t. for short) Turing machine. This captures the idea that a potential adversary can perform arbitrary computations while tampering with the protocol, provided it takes a reasonable, that is polynomial, time. In particular, this assumption captures the possibility that the adversary may try to guess secrets (e.g. keys). Note that in both models it is assumed that the adversary has complete control of the network: he can intercept, send and block messages. An additional gap between the symbolic and the computational models is in how security properties are specified. For example, secrecy is usually stated in symbolic models as a reachability property, while in computational models it is formalized as the indistinguishability of adversary views.

In this section we survey three approaches developed to bridge the gap between symbolic and computational models. Recall that the goal is to understand when security proved using symbolic models implies meaningful security properties for protocols with respect to computational ones. These approaches are the trace mapping approach, the process mapping approach, and the simulation-based approach.
3.1 The trace-mapping based approach

3.1.1 Syntax. 

Messages are modeled by a sorted term algebra. For example, the algebraic signature $\Sigma$ may contain sorts Nonce, Label, Ciphertext, Signature, and Pair for nonces, labels, ciphertexts, signatures, and pairs respectively. Typical operations are pairing, public key encryption $\{\_\}^{\_}_{\_}$, and signing. One may already notice a difference with the passive case as described by Abadi and Rogaway. Probabilistic primitives like encryption or signatures are now represented with ternary symbols instead of binary symbols. The third argument explicitly models the randomness used in these primitives and allows one, for instance, to capture the fact that encrypting the same message $m$ twice with the same key $k$ yields different ciphertexts, represented by $\{m\}^{r}_{k}$ and $\{m\}^{r'}_{k}$.

Protocols are specified using the algebra of terms constructed over the above signature from a set $X$ of sorted variables. The messages that are sent by participants are specified using terms in $T_\Sigma(X)$, the free algebra generated by $X$ over the signature $\Sigma$. The individual behavior of each protocol participant is defined by a role describing a sequence of message receptions/transmissions, and a $k$-party protocol is given by $k$ such roles.

It is worth emphasizing that the term algebra used in this setting is richer than the algebra typically used in automatic tools for security protocols. One important difference is that the latter typically omit the explicit randomness argument discussed above. Furthermore, the model uses different symbolic operations for signature and encryption, whereas the models for tools quite often represent signatures as encryptions with the decryption key. Nevertheless, it can be shown that under certain conditions security with respect to the simpler models implies security with respect to the richer models above [CHW06].

3.1.2 Execution models. 

Two types of executions are then defined for protocols: the symbolic and the concrete ones. In both models, the adversary has complete control of the network: he can intercept, send and block messages. More precisely, the adversary can interact with the protocol through three kinds of actions.

• corrupt$(a_1, \ldots, a_l)$: the adversary can corrupt parties by outputting a set of identities. He receives in return the secret keys corresponding to the identities. This happens only once, at the beginning of the execution.

• new$(i, a_1, \ldots, a_k)$: the adversary can initiate new sessions, selecting the role $i$ and the instantiation $a_1, \ldots, a_k$ of the agents involved in that session.

• send$(sid, m)$: the adversary can send a message $m$ to a target session $sid$.

In the symbolic setting the honest parties and the adversary exchange elements of a certain term algebra; the adversary can only send messages deducible from the previously received messages following the standard Dolev-Yao rules described in Figure 1.

Figure 1: Deduction rules for the formal adversary.

In the concrete execution model, the honest parties and the adversary are p.p.t. Turing machines and the messages that are exchanged are bit-strings that depend on a security parameter $\eta$ (which is used, for example, to determine the length of random nonces). A PKI-like setting is assumed such that the public
length of random nonces). A PKI-like setting is assumed such that the public 
keys of parties (those for encryption and signature verification) are accessible 
to all parties. Encryption and signing are implemented with an encryption 
scheme and a digital signature scheme respectively. Pairing is implemented by 
some standard (efficiently invertible) encoding function. Each time a session is 
initialized, random values are generated for the nonces of the session. 

3.1.3 Trace mapping. 

The trace mapping approach attempts to link concrete and symbolic executions directly [MW04b]. The idea is to show that any concrete trace is the image of a symbolic trace (with overwhelming probability). The first result of this kind establishes such a statement for protocols that use random nonces, party identities, pairing, and asymmetric encryption, under the assumption that the encryption scheme satisfies indistinguishability under chosen ciphertext attacks (IND-CCA). We refer to a property of this type as a mapping lemma. Informally, the mapping lemma implies that all of the behaviors of concrete adversaries are captured by those of the symbolic adversaries. Consequently, any trace property such as authentication can be transferred from symbolic models to concrete ones: whenever a protocol satisfies (symbolically) a trace property, it also satisfies the property computationally.

3.2 Extensions 

3.2.1 Signatures. 

The mapping lemma has then been extended in [CW05] to a setting with signatures and variables of sort ciphertext (to allow ciphertext forwarding), provided that signatures are implemented using a scheme that is existentially unforgeable under chosen message attacks. A similar result has been proved in [JLM05], where public keys can also be sent in plaintext. They also propose a general criterion for reducing the correctness of two cryptographic schemes to the correctness of each one. This is useful when proving soundness of symbolic models in which several primitives are used.

3.2.2 Hash functions. 

The mapping lemma has then been extended in [CKKW06] (removing signatures) to hash functions implemented in the random oracle model. A weaker criterion for hash functions, called HASH, is proposed in [JLM06]. It is shown that the mapping lemma holds for hash functions satisfying this criterion and for asymmetric encryption (implemented with an IND-CCA encryption scheme), provided that the protocol has no temporary secrets (each atomic value is either initially known to the intruder or will never be revealed). The HASH criterion can be realized in the random oracle model. However, it is not known whether an actual implementation realizes the HASH criterion.

3.2.3 Non-Malleable Commitment. 

Galindo et al. [GGvR08] have extended the mapping lemma to commitment schemes. Commitment schemes are used in protocols like zero-knowledge proofs or contract signing. They consist of two phases: a first phase (commitment) where the principal commits to a message without revealing any information, and a second phase (opening) where the principal reveals the message and it is possible to verify that it corresponds to the value committed during the previous phase. They abstract these primitives symbolically by introducing two function symbols:

$com_r(\_) : Term \times Label \to Com$
$dec_r(\_) : Term \times Label \to Dec$

where $Com$ and $Dec$ are new sorts. The corresponding deduction rules are the following two rules:

$$\frac{S \vdash m}{S \vdash com_r(m)} \qquad\qquad \frac{S \vdash dec_r(m)}{S \vdash m}$$

They show that the mapping lemma holds for asymmetric encryption and commitment provided that encryption is IND-CCA and that commitment is non-malleable against chosen commitment attacks (NMC-CCA). NMC-CCA is a definition of security for commitment schemes that they introduce in order to prove the mapping lemma. It intuitively means that an attacker cannot produce a commitment $c_2$ related to another commitment $c_1 = com_{r_1}(m_1)$ (where $m_1$ is chosen by the attacker) even if it has access to an oracle that can open commitments. This security notion can be realized: Galindo et al. propose a new commitment scheme that is NMC-CCA secure.
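The symbolic adversary of Section 3.1.2 extended with the two commitment rules above, as an added example (not code from the survey, [CW05] or [GGvR08]): knowledge is first closed under decomposition (projection, decryption with a known private key, reading the message out of a signature, and $S \vdash dec_r(m) \Rightarrow S \vdash m$), then the goal is synthesized with the composition rules, including $S \vdash m \Rightarrow S \vdash com_r(m)$. The term encoding, the helper names and the assumption that a signature reveals its message are this example's own.

```python
from typing import Set

# Constructed mini term algebra: terms are tuples; the third argument of
# aenc/sign and the r of com/dec are the explicit randomness labels.
Term = tuple
def nonce(x: str) -> Term: return ('n', x)
def pk(a: str) -> Term: return ('pk', a)
def sk(a: str) -> Term: return ('sk', a)
def pair(a: Term, b: Term) -> Term: return ('pair', a, b)
def aenc(k: Term, m: Term, r: str) -> Term: return ('aenc', k, m, r)
def sign(k: Term, m: Term, r: str) -> Term: return ('sign', k, m, r)
def com(r: str, m: Term) -> Term: return ('com', r, m)
def dec(r: str, m: Term) -> Term: return ('dec', r, m)


def analyze(knowledge: Set[Term]) -> Set[Term]:
    """Close S under the decomposition rules: projection, decryption with a
    known private key, reading a signed message, and S |- dec_r(m) => S |- m."""
    closed = set(knowledge)
    while True:
        new: Set[Term] = set()
        for t in closed:
            if t[0] == 'pair':
                new.update((t[1], t[2]))
            elif t[0] == 'aenc' and t[1][0] == 'pk' and sk(t[1][1]) in closed:
                new.add(t[2])            # ciphertext under a compromised key
            elif t[0] in ('sign', 'dec'):
                new.add(t[2])            # signatures and decommitments expose m
        if new <= closed:
            return closed
        closed |= new


def deducible(knowledge: Set[Term], goal: Term) -> bool:
    """Goal-directed check of S |- goal: analyze, then synthesize the goal."""
    closed = analyze(knowledge)

    def synth(t: Term) -> bool:
        if t in closed:
            return True
        if t[0] == 'pair':
            return synth(t[1]) and synth(t[2])
        if t[0] in ('aenc', 'sign'):     # label r is the adversary's own randomness
            return synth(t[1]) and synth(t[2])
        if t[0] == 'com':                # S |- m  =>  S |- com_r(m), for any label r
            return synth(t[2])
        # nonces, keys and decommitments dec_r(m) cannot be forged: closure only
        return False

    return synth(goal)


if __name__ == "__main__":
    # constructed scenario: honest a commits to its nonce, then opens it
    S = {pk('a'), pk('b'), pk('i'), sk('i'), com('r1', nonce('a'))}
    print(deducible(S, nonce('a')))                          # False before opening
    print(deducible(S | {dec('r1', nonce('a'))}, nonce('a')))  # True after opening
```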

3.2.4 Zero-knowledge proof. 

A zero-knowledge proof is a message or a sequence of messages that forms a proof of a statement $x$ (e.g. "the message within the ciphertext contains two identical nonces") that does not reveal any information besides the fact that $x$ is true. Zero-knowledge proofs can be used to prove various statements. Backes et al. have introduced in [BMU08] an abstraction of zero-knowledge proofs for symbolic models by introducing a small logic. A Formula is a Boolean formula over atomic formulas ZKTerm defined by:

$$ZKTerm ::= ek(\beta_i) \mid \alpha_i \mid \beta_i \mid (ZKTerm, ZKTerm) \mid \{ZKTerm\}^{\rho_i}_{ek(\beta_i)}$$

The set Term is enriched by a constructor $ZK^R_F(\vec{r}, \vec{a}, \vec{b})$ where $F$ is a Formula and $\vec{x}$ denotes $x_1, \ldots, x_n$. Intuitively, $R$ and $\vec{r}$ are the randomness used in the formula, $\vec{a}$ represents the secret values and $\vec{b}$ the public values. $ZK^R_F(\vec{r}, \vec{a}, \vec{b})$ is evaluated by replacing the $\alpha_i$ by the $a_i$, the $\beta_i$ by the $b_i$ and the $\rho_i$ by the $r_i$.

Backes and Unruh extend the mapping lemma in [BU08] to this symbolic model of (non-interactive) zero-knowledge proofs by introducing a new security definition for zero-knowledge proofs, called symbolically-sound zero-knowledge proof system. This definition is rather involved. It is assumed that zero-knowledge proofs are based on circuits and prove that a particular circuit is satisfiable. Their new security definition requires in particular:

• Extractability: out of a proof for a circuit $C$, it is possible to extract a witness, i.e. a solution for $C$.

• Unpredictability: two independently produced proofs are different with overwhelming probability.

• Extraction Zero-Knowledge: this property is designed to prevent an adversary from building a valid proof out of previous proofs.

This definition can be realized by an existing zero-knowledge protocol defined by Groth and Ostrovsky [GO07].


3.2.5 Linking cryptographic and symbolic secrecy. 

In the symbolic model, secrecy is naturally expressed as a trace property: a message is secret if it cannot be derived by the adversary. In the computational model, however, typical definitions are much stronger. It is usually required that an attacker is not only unable to obtain the secret, but also unable to obtain any partial information about the secret (which is an indistinguishability notion). Typically, secrecy of a nonce $N$ in a protocol $\Pi$ is defined in cryptographic models using an experiment $\mathrm{Exp}^{b}_{\Pi,A}(\eta)$ that we describe below. The experiment is parameterized by a bit $b$ and involves an adversary $A$. The input to the experiment is a security parameter $\eta$. It starts by generating two random nonces $n_0$ and $n_1$ whose length depends on the security parameter. Then the adversary $A$ interacts with the protocol $\Pi$ where the nonce $N$ has been instantiated by $n_b$ according to the bit $b$. The adversary generates new sessions, and sends messages to and receives messages from these sessions (as prescribed by the protocol). In the end, the adversary is given $n_0$ and $n_1$ and outputs a guess $d$, which is the result of the experiment. The nonce $N$ is computationally secret in $\Pi$ if for every p.p.t. adversary $A$ its advantage is negligible.
3.2.6 Pairing and asymmetric encryption.

In [CW05], it is shown that, in a setting with asymmetric encryption and pairing, whenever a nonce is deemed secret using symbolic techniques, the nonce is also secret with respect to the stronger, computational definition.

3.2.7 Hash functions. 

In [JLM06], soundness of symbolic secrecy is extended to hash functions under the HASH criterion, for nonces that never appear under a hash function. Transferring the usual symbolic secrecy definition to indistinguishability is indeed not possible when the target secret value appears under a hash function since, unlike ciphertexts, hashes have to be publicly verifiable, i.e., any third party can verify whether a value $h$ is the hash value corresponding to a given message $m$. Assume, for example, that in some protocol the hash $h = h(s)$ of some secret $s$ is sent in clear over the network. Then, while virtually all symbolic models would conclude that $s$ remains secret (and this is also a naive assumption often made in practice), a trivial attack works in computational models: given $s$, $s'$ and $h$, compare $h$ with $h(s)$ and $h(s')$, and thereby recover $s$. Cortier et al. [CKKW06] propose a new symbolic definition for nonce secrecy in protocols that use party identities, nonces, hash functions, and public key encryption. The definition is based on the concept of patterns presented in Section 2. They show that nonces that are secret according to their symbolic criterion are also secret according to a standard computational definition (indistinguishability). The result holds for protocols implemented with encryption schemes that satisfy standard notions of security (IND-CCA), and for hash functions modeled as random oracles. They also show decidability (NP-completeness) of the symbolic secrecy criterion (w.r.t. a bounded number of sessions).

3.3 Soundness of observational equivalence 

We have just seen that "computational secrecy" can be soundly abstracted by a trace property in symbolic models in a number of particular cases. It is not clear, however, that such a property can be expressed as a trace property in general. More generally, several security properties cannot be defined (or cannot be naturally defined) as trace properties, such as anonymity, privacy-related properties involved in electronic voting protocols [DKR06], or strong (also called "black-box") simulatability [BPW07b, KT08]. These security properties are usually formalized as indistinguishability properties. There is a well-known similar notion in concurrency theory: observational equivalence, introduced by Milner and Hoare in the early 80s. Two processes $P$ and $Q$ are observationally equivalent, denoted by $P \approx Q$, if for any process $O$ (a symbolic observer) the processes $P \| O$ and $Q \| O$ are equally able to emit on a given channel. This means that $O$ cannot observe any difference between $P$ and $Q$. It is shown in [CLC08] that computational indistinguishability in the presence of an active attacker is implied by the observational equivalence of the corresponding symbolic processes, in the case of IND-CCA-2 symmetric encryption.
3.4 The simulation based approach

A different approach towards relating computational and symbolic executions of protocols relies on the concept of simulatability. Roughly, security is defined by requiring that a real system, which supposedly implements some cryptographic system, is as secure as an ideal version of the protocol/primitive (which typically is secure by construction).

The concrete instance of such a simulation-based setting used in computational soundness is that of reactive simulatability/universal composability, RSIM/UC in short [Can01, BPW07a]. This setting relies on a general model for (polynomial-time) executions of interactive asynchronous programs. Related models for such executions have been defined elsewhere, with a similar goal in mind. These works include those for a probabilistic polynomial-time process calculus [LMMS98, MRST01, RMST04, MRST06], and the model of Canetti [Can01], more rigorously formalized and further refined using the framework of Task Structured Probabilistic Input/Output Automata (Task PIOAs) [CCK+06].

The details of such models are outside the scope of this survey. We refer to the work of Küsters et al. for a detailed analysis and comparison of the different existing frameworks [KDMR08].

As sketched above, the definition of security involves an ideal system maintained by a trusted host TH. The real system is given by a set of interactive machines M_i, one for each user i. Both systems interact with an environment Env, which should be thought of as the protocols (or users) that provide input to, and obtain output from, the system being analyzed. Furthermore, the interaction also involves an adversary Adv. In the real world, the adversary interacts directly with the system (i.e. it communicates directly with the machines M_1, M_2, ..., M_n). In the ideal world, the communication between the adversary and the trusted host is mediated by a simulator Sim. The two setups are depicted in Figure 2.

We write (rather informally) TH | Sim | Adv | Env for the result of the execution of the ideal system, i.e. for the output of the environment. Similarly, we write (M_1 || M_2 || ... || M_n) | Adv | Env for the result of the real execution.

We say that M_1, M_2, ..., M_n RSIM/UC implement the system described by TH, and we write M_1 || M_2 || ... || M_n ≤_RSIM TH, if there exists a simulator Sim (that mediates the interaction between the adversary and TH) such that no combination of environment and adversary can determine whether the interaction takes place in the ideal world or in the real world:

$$(\exists\,\mathrm{Sim})(\forall\,\mathrm{Adv})(\forall\,\mathrm{Env})\quad (\mathrm{TH} \mid \mathrm{Sim} \mid \mathrm{Adv} \mid \mathrm{Env}) \approx (M_1 \| M_2 \| \cdots \| M_n \mid \mathrm{Adv} \mid \mathrm{Env})$$

In the above, the notation ≈ represents some version of indistinguishability (i.e. perfect equality, statistical closeness, or computational indistinguishability of distributions).

3.4.1 Preservation of integrity properties. 

The intuition behind the above definition is that the protocol defined by machines M_1, M_2, ..., M_n does not leak any more information to an adversary than the ideal version defined by TH, and thus the former is as secure as the latter. Usually, the security of the ideal system can be assessed by simple inspection, or proved through some simple means, and the security of the real implementation thus follows.

[Figure 2 diagram: left panel “Ideal world”, right panel “Real world”]

Figure 2: The RSIM setting: in the ideal world the interaction is between a trusted host TH, an adversary Adv, a simulator Sim, and an environment Env. In the real world, the interaction is between an actual implementation of the protocol by machines M_1, M_2, ..., M_n, an environment Env and an adversary Adv. The machines M_1, M_2, ..., M_n RSIM/UC implement the system defined by TH if (∃Sim)(∀Adv)(∀Env) (TH | Sim | Adv | Env) ≈ (M_1 || M_2 || ... || M_n | Adv | Env).

Importantly, security defined in the sense above is composable: if M = M_1 || M_2 || ... || M_n is such that M ≤_RSIM TH, then M can be replaced in a system by the combination TH | Sim without changing the behavior of the system. In particular, properties of the ideal system should also be satisfied by the implementation [BJP02].

3.5 A composable cryptographic library 

The framework for reactive simulatability sketched in the previous section has been used by Backes, Pfitzmann, and Waidner to obtain computational soundness results. They define an ideal cryptographic library Lib_ideal which offers an interface through which programs can manipulate data. Commands that can be passed to the library include the ability to generate nonces and cryptographic keys, to encrypt and decrypt messages, to generate and verify signatures, etc. The internal workings of the library, i.e. the semantics of all of the commands, are entirely deterministic and based on the ideas behind Dolev-Yao models. Roughly speaking, Lib_ideal maintains an internal database of symbolic terms which the programs can manipulate via handles to these terms, obtained from the library. A party is able to obtain the plaintext of an encryption only if it has handles to both the term that represents the encryption and the appropriate decryption key. Importantly, since the final goal is to relate Lib_ideal with a real implementation, the library needs to keep track of all the various pieces of information which real cryptographic primitives may leak. The reason is that the environment would be able to tell the difference between the real and the ideal executions by observing such leaks. Typical examples include the length of encrypted plaintexts, as well as the length that corresponds to the ideal terms in a real instantiation. In the context of the reactive simulatability setting presented in the previous section, Lib_ideal plays the role of the ideal system, i.e. that of TH.

To obtain computational soundness it is sufficient to exhibit a real implementation, i.e. a library Lib_real implemented with actual cryptographic primitives, which offers the same interface as Lib_ideal, such that Lib_real ≤_RSIM Lib_ideal. In [BPW03a] Backes, Pfitzmann, and Waidner exhibit an ideal and a real library that are related as described above. The cryptographic operations considered in [BPW03a] are nonce generation, asymmetric encryption, and digital signatures. The main result is that Lib_real ≤_RSIM Lib_ideal provided that the digital signature scheme is memory-less (a signature does not leak any information about previous signatures) and existentially unforgeable under chosen message attack, and the encryption scheme is IND-CCA secure.

3.5.1 Message authentication codes (MACs).

The above result has been extended to a library that includes message authentication codes [BPW03b]. The security condition under which the desired result holds is that the MAC used in the implementation of the real library is existentially unforgeable under chosen message attacks. In addition, given a tag created by the MAC scheme, it must be possible to fully recover the message to which it corresponds, and it must be possible to determine whether two tags have been created under the same key or not, even if one does not possess the key. Finally, the protocol where the MAC is used has to append a random nonce to the message which is MACed.

3.5.2 Symmetric encryption. 

Subsequent work introduced symmetric encryption among the primitives that the simulatable cryptographic library offers [BP04b]. A RSIM/UC relation between the resulting ideal system and a concrete realization requires several restrictions on the way the library is used by the surrounding protocol. We only list some of them. First, they of course forbid encryption cycles by assuming a key hierarchy based on the order in which keys are used for encryption for the first time. Second, an important issue with symmetric encryption is the so-called commitment problem, which appears when a key is used for encryption and is later revealed. Thus it is assumed here that keys are never revealed after being used. Third, they assume authenticated encryption schemes (i.e. the adversary is not able to compute a ciphertext that decrypts validly under a specific unknown key), and they assume that ciphertexts are tagged with key identifiers.

3.5.3 Transferring secrecy properties via RSIM/UC. 

As discussed in previous sections, in symbolic models secrecy properties can be expressed as trace properties, while in computational models they cannot. Thus, transference of secrecy properties does not follow from the preservation theorems proved for integrity properties. The result that symbolic secrecy implies computational secrecy for the cryptographic library described above appears in [BP05b]. The result holds for payload data, and for symmetric keys (which have not been used for encryption or authentication), i.e. nonces. The precise formulation of computational secrecy is indistinguishability based, and is similar to the one for the trace mapping approach.

3.5.4 Impossibility results for RSIM/UC soundness.

The strong relation imposed between the ideal and the real system by the RSIM/UC relation leads to several impossibility results. In [BP05a], Backes and Pfitzmann offer impossibility results for an ideal library that contains a model for XOR. The results are rather general, in that they are not for a fixed abstraction of XOR. Instead, they show that if such a library is rich enough to allow the specification of some simple protocols where secrecy of some piece of data is desired, then a RSIM/UC concrete realization would imply that the library itself is not abstract: using the library one is able to compute concrete cryptographic functions, e.g. signatures. To complement the impossibility results, the authors show soundness for the case of passive adversaries.

A second impossibility result, reminiscent of the restrictions imposed for the case of symmetric encryption, has been obtained for the case of hashes [BPW06]. The authors show several impossibility results for various restrictions on the class of protocols that one is able to specify. The impossibility results hold for essentially all natural abstractions of (one-way) hash functions.

3.5.5 Key Dependent Message security. 

As observed as early as the initial work of Abadi and Rogaway, settings where key-dependent encryption occurs, either in normal executions of protocols or due to the malicious activities of the adversary, pose a real problem for computational soundness, especially when encryption cycles occur. The problem is that although such settings are smoothly treated via symbolic methods, in computational models it may be the case that encryption breaks completely. Two possible work-arounds are either to prohibit the occurrence of such situations (e.g. via syntactic restrictions on the protocols that are analyzed, or via checking symbolically that an adversary cannot obtain key cycles while interacting with the protocols [CZ06]), or to require that in computational settings encryption is stronger and does not break even when used in such more esoteric ways.

The second approach has recently been taken by Backes, Pfitzmann, and Scedrov [BPS08]. They build on the earlier work of Black, Rogaway, and Shrimpton [BRS02] and put forth a security notion for encryption that takes into account key-dependent message attacks. They show that the notion can be achieved in the random oracle model, and show that the notion is indeed sufficient to obtain soundness for the BPW cryptographic library, even when encryption cycles occur.
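A toy, handle-based version of the ideal library sketched in Section 3.5, as an added Python example (not the BPW library's own code): terms live in a database and parties, the adversary included, manipulate them only through handles; decryption needs handles to both the ciphertext and the key; the length a real ciphertext would leak is recorded; and two of the restrictions of Section 3.5.2 are enforced, the first-use key hierarchy that rules out encryption cycles (the symbolic key-cycle check mentioned above) and the ban on revealing a key after it has been used. All class, method and party names are this example's own.

```python
"""Toy handle-based ideal library in the style of Lib_ideal (added example)."""
import itertools


class KeyCycleError(Exception): pass     # first-use key hierarchy violated
class CommitmentError(Exception): pass   # key revealed after being used


class IdealLibrary:
    """Database of symbolic terms (kind, args, length); parties, including the
    adversary "adv", only ever see integer handles into it."""

    def __init__(self):
        self._db = {}                   # term id -> (kind, args, length)
        self._ids = itertools.count(1)
        self._handles = {}              # (party, handle) -> term id
        self._owned = {}                # (party, term id) -> handle
        self._first_use = {}            # key id -> rank of its first encryption
        self._rank = itertools.count(1)

    def _give(self, party, tid):        # party's handle to tid, made on demand
        if (party, tid) not in self._owned:
            h = len([p for p, _ in self._handles if p == party]) + 1
            self._handles[(party, h)], self._owned[(party, tid)] = tid, h
        return self._owned[(party, tid)]

    def _store(self, party, kind, args=(), length=0):
        tid = next(self._ids)
        self._db[tid] = (kind, args, length)
        return self._give(party, tid)

    def _lookup(self, party, handle):
        if (party, handle) not in self._handles:
            raise PermissionError(f"{party} holds no handle {handle}")
        return self._handles[(party, handle)]

    def _keys_inside(self, tid):        # keys in a term; looks under enc too
        kind, args, _ = self._db[tid]
        if kind == "key":
            return {tid}
        return self._keys_inside(args[1]) if kind == "enc" else set()

    def gen_nonce(self, party, length=16):
        return self._store(party, "nonce", length=length)

    def gen_key(self, party, length=16):
        return self._store(party, "key", length=length)

    def encrypt(self, party, key_h, msg_h):
        kid, mid = self._lookup(party, key_h), self._lookup(party, msg_h)
        assert self._db[kid][0] == "key", "not a key handle"
        rank = self._first_use.setdefault(kid, next(self._rank))
        for inner in self._keys_inside(mid):
            # a key first used no later than kid must not be encrypted under
            # kid: that is exactly what would close an encryption cycle
            if self._first_use.get(inner, rank + 1) <= rank:
                raise KeyCycleError(f"key {inner} under key {kid}")
        leaked = self._db[mid][2] + 16          # real ciphertexts leak length
        return self._store(party, "enc", (kid, mid), leaked)

    def decrypt(self, party, key_h, cipher_h):
        """Needs handles to both ciphertext and key; wrong key yields None."""
        kid, cid = self._lookup(party, key_h), self._lookup(party, cipher_h)
        kind, args, _ = self._db[cid]
        return self._give(party, args[1]) if kind == "enc" and args[0] == kid else None

    def send(self, sender, handle, receiver):   # the network is "adv"
        return self._give(receiver, self._lookup(sender, handle))

    def reveal(self, party, key_h):             # refused once the key was used
        kid = self._lookup(party, key_h)
        if kid in self._first_use:
            raise CommitmentError(f"key {kid} was already used for encryption")
        return self._give("adv", kid)

    def length(self, party, handle):            # all a ciphertext holder learns
        return self._db[self._lookup(party, handle)][2]


def run_scenario():
    """Constructed run: Alice sends Bob an encrypted nonce via the adversary."""
    lib = IdealLibrary()
    k = lib.gen_key("alice")
    k_bob = lib.send("alice", k, "bob")           # pre-shared key
    c = lib.encrypt("alice", k, lib.gen_nonce("alice"))
    c_adv = lib.send("alice", c, "adv")           # adversary sees ciphertext
    n_bob = lib.decrypt("bob", k_bob, lib.send("adv", c_adv, "bob"))
    out = {"bob_decrypts": n_bob is not None, "adv_sees": lib.length("adv", c_adv)}
    try:
        lib.decrypt("adv", 99, c_adv)             # adv holds no key handle
    except PermissionError:
        out["adv_cannot_decrypt"] = True
    try:
        lib.reveal("alice", k)                    # k already encrypted: refused
    except CommitmentError:
        out["reveal_blocked"] = True
    k2 = lib.gen_key("alice")
    lib.encrypt("alice", k, k2)                   # k2 under k: respects hierarchy
    try:
        lib.encrypt("alice", k2, k)               # k under k2: key cycle
    except KeyCycleError:
        out["cycle_blocked"] = True
    return out
```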

3.5.6 Simulatability implies trace mapping. 

The first work that investigates the relation between the trace mapping approach and the one based on reactive simulatability is by Backes, Dürmuth, and Küsters [BDK07]. They show that if two systems are related in the sense of the latter, then a relation in the sense of trace mapping also holds.

3.5.7 Case studies. 

The applicability of the above described cryptographic library has been illustrated on a number of case studies. In [BP03, BP04a], Backes et al. give a cryptographically sound proof that the Needham-Schroeder protocol satisfies authentication using the ideal library. More precisely, they show that an honest participant A only successfully terminates a protocol with an honest participant B if B has indeed started a protocol with A. Backes et al. have also analyzed the Otway-Rees protocol [Bac04], which relies on symmetric encryption. Therefore the security proof also needs to show the absence of the above discussed commitment problem. Moreover, a confidentiality property of the established key is shown. The confidentiality property shown here is not cryptographic key secrecy, but ensures that an adversary can never obtain a handle to that key, which is close to deducibility in symbolic models.

In [BP06a], the authors illustrate the use of their library for showing cryptographic key secrecy, relying on their secrecy transferring result [BP05b] described above. They study the Yahalom protocol. The first remark is that cryptographic key secrecy, i.e. indistinguishability of a real and a random key, is not guaranteed by the Yahalom protocol as it ends with a key confirmation. A slightly simplified version, omitting the last message, is then shown to guarantee key secrecy.

The approach is also illustrated on more complex protocols. In jBPflbj, a correctness proof of an electronic payment protocol, a slight simplification of the 3KP protocol, is given. In [BMP+06], a web service protocol, the WS-ReliableMessaging scenario, is analyzed, and in I K'.I (H i security proofs are given for the Kerberos 5 protocol.

The above discussed case studies rely on hand proofs, but it is argued that 
the proofs in the ideal system are in the scope of existing automated tools. 

3.6 Towards automated proofs of simulatability 

Several results study the automation of proofs of simulatability in the context of the simulatable cryptographic library of Backes, Pfitzmann and Waidner. Laud [Lau05] proposes a type system for checking secrecy of messages handled by protocols. He defines a language for cryptographic protocols, similar to the spi-calculus [AG97], tailored to the BPW cryptographic library for symmetric and asymmetric encryption. He presents a type system such that if a protocol types then it preserves the secrecy of the messages given to it by the users. In [BL06], Backes and Laud propose a mechanized approach (implemented as a tool) for proving secrecy of payload data in cryptographic protocols modeled in the framework of [Lau05], for an unbounded number of sessions, using a type system.

In [SBB+06, SB08a, SB08b], Sprenger et al. formalize the BPW model in the theorem prover Isabelle/HOL for public-key encryption. Since this model is too complex to directly analyze protocols, they propose several cryptographically sound abstractions of the initial model, providing a proof of the soundness of the abstractions within the Isabelle/HOL prover. As a case study, they show how the more abstract models can be used for proving the security of the Needham-Schroeder-Lowe protocol [Low96].

Canetti and Herzog [CH06] define a mapping between protocols that use public key encryption, in the UC-framework, and symbolic protocols such that the concrete protocol realizes the mutual authentication functionality if and only if its translation fulfills the symbolic mutual authentication criterion. For the key exchange functionality, they propose a new symbolic criterion such that a concrete protocol realizes the key exchange functionality if and only if its translation fulfills the new symbolic criterion. Then they apply an existing tool (ProVerif [Bla01]) to verify whether or not the key exchange criterion is satisfied by known protocols.


4 Computationally sound proof systems and logics

In this section we consider cryptographically sound proof systems. These sound¬ 
ness results are of a rather different flavor. They do not show a general mapping 
lemma ensuring that any computational trace corresponds to a symbolic trace 
with overwhelming probability. They rather prove that any property which can 
be proved in a symbolic setting also holds in the computational setting with 
overwhelming probability. 

4.1 Computational Protocol Composition Logic 

The Protocol Composition Logic, PCL for short, is a Floyd-Hoare-like logic for proving properties of security protocols in a compositional way. The logic includes a modal operator $\psi[P]_X\varphi$ which intuitively means that if the pre-condition $\psi$ holds and participant X executes protocol actions P then the post-condition $\varphi$ will hold. Protocols are described using a simple calculus for specifying roles. A role is a sequence of actions including new nonce generation, send, receive and application of cryptographic functions. The logic comes with a number of axioms and proof rules which implicitly assume the presence of a Dolev-Yao-like active adversary. As an example, the two proof rules

$$\frac{\varphi \qquad \varphi \Rightarrow \psi}{\psi} \qquad\qquad \frac{\psi[P_1]_X\,\theta \qquad \theta[P_2]_X\,\varphi}{\psi[P_1 P_2]_X\,\varphi}$$

allow sequential composition, given that the post-condition of a first protocol implies the pre-condition of a second protocol. The logic also allows assume-guarantee-like parallel composition: provided that invariants of protocol $P_1$ are preserved by protocol $P_2$ and vice-versa, properties are preserved by the parallel composition of $P_1$ and $P_2$. One may note that composition is conditional in PCL, as opposed to the universal composability described in Section 3.4. Giving a complete account of the logic is beyond the scope of this paper. A survey on PCL and the numerous case studies carried out in this framework can be found in [DDMR07].

In [DDM+05], Datta et al. define Computational PCL, CPCL for short, by giving a computational semantics for a variant of PCL. The protocols are hence executed in the presence of an arbitrary PPT adversary. In [DDM+05] the only cryptographic primitive is asymmetric encryption and the logic is equipped with two new predicates, Indist and Possess. Intuitively, Indist expresses that a nonce is computationally indistinguishable from a random nonce, for an arbitrary active adversary that is allowed to interact with the protocol. Possess is used to model that a bitstring corresponding to a given term cannot be built by the adversary using Dolev-Yao deduction rules, i.e. it supposes a fixed algorithm for constructing this bitstring rather than an arbitrary PPT algorithm. The main result of the paper is a soundness result showing that if a formula can be deduced using the axioms and proof rules and if the encryption scheme is IND-CCA-2 secure, then the formula holds with overwhelming probability in the computational semantics, i.e. in the presence of an arbitrary PPT adversary. The logic and soundness result have been substantially extended in subsequent work.

In [DDMW06] the logic is extended for proving the security of key exchange protocols. As already noted, cryptographic key secrecy, stating that a key is indistinguishable from a random key, is too strong if the protocol contains a key confirmation step or if the key is to be used by another protocol. Therefore, a new, weaker security property called key usability is presented. Intuitively, key usability holds if the established key can be used safely afterwards. The definition is therefore parameterized by the intended use of the key. More precisely, the property is formalized by an experiment involving a two-stage adversary (A_e, A_c): in the first phase A_e interacts with the key exchange protocol; in the second phase the adversary A_c receives state information of A_e and plays a security game, e.g. IND-CPA. The definition is illustrated by showing the security of the ISO-9798-3 key exchange protocol, followed by a secure session using the exchanged key. The secure session requires the use of an IND-CPA secure symmetric encryption key. The case study also required the extension of the logic and soundness theorem to symmetric encryption, Diffie-Hellman exponentiation and secure signature schemes, requiring respectively IND-CPA secure symmetric encryption, the decisional Diffie-Hellman assumption and a CMA secure signature scheme.

In [RDDM07], Roy et al. define a trace-based property, called secretive, which is suitable for inductive and compositional proofs. This property guarantees a black-box reduction from attacks on the protocol to attacks on the underlying primitives. Moreover this property implies computational secrecy properties (which are not trace-based properties) including key indistinguishability and key usability. The result is illustrated by giving formal proofs of computational authentication and secrecy of Kerberos V5. In [RDM08], Roy et al. further refine the logic for studying Diffie-Hellman based key exchange protocols. The techniques are illustrated on the initial authentication of Kerberos V5 and IKEv2, which is the IPSEC key exchange standard.

Gupta and Shmatikov [GS05] also study a variant of PCL tailored to the analysis of key exchange protocols. The fragment they consider only contains signatures and a restricted form of Diffie-Hellman exponentiation, which requires the exponentiations to be signed. The security property they consider differs from the work discussed just above. Gupta and Shmatikov consider indistinguishability of the key exchange protocol and an ideal key exchange functionality together with a simulator. They define a symbolic criterion which, under standard security definitions (DDH and CMA), implies that for any computational adversary there exists a simulator such that the transcripts of the adversary interacting with the real and the ideal system are indistinguishable. The method is illustrated on the authenticated Diffie-Hellman key exchange protocol. In [GS06], they refine their results to allow adaptive corruption of long-term secrets (but not strong adaptive corruption, which reveals the entire internal state of corrupted participants rather than just the long-term secret).

4.2 Static analysis techniques 

In [Lau01], Laud presents static analysis techniques which are computationally sound for protocols that use symmetric encryption, in order to show computational secrecy properties. The protocols are described in a basic programming language which allows sending and receiving messages and application of encryption and decryption functions, manipulation of tuples, random number generation and equality testing. The technique consists in a protocol transformation, which is correct in the sense that an incorrect protocol is never transformed into a correct protocol. To achieve correctness the symmetric encryption scheme is supposed to be IND-CCA and to provide ciphertext integrity. The protocol transformation mainly consists in removing unreachable code, replacing bitstrings by formal terms and encryptions by encryptions of sequences of 0s. The resulting protocol can then be analyzed using symbolic information flow techniques. These results have been further extended in [LT05] to protocols that use digital signatures.


5 Computationally sound implementation of higher 
level symbolic constructs 

The work that we discuss in this section is conceptually close to computational 
soundness. All of these papers relate abstract symbolic languages and their 
concrete implementation in such a way that reasoning at the abstract layer 
yields meaningful results about the actual implementation. Unlike the papers 
discussed in previous sections, the abstract languages that are considered do 
not deal with cryptographic primitives explicitly, but use constructs or con¬ 
cepts that are security related. Cryptography is then used to ensure that the 
implementation reflects the security concerns captured at the higher level of 
abstraction. 

5.0.1 Secure channels. 

Adão and Fournet [AF06] introduce a process calculus-based language which has, as part of the core set of operations, built-in constructs that allow parties to 1) make use of certificates issued by authorities and 2) communicate on authenticated channels. At this level of abstraction, the use of cryptography is transparent, and the desired security properties of these constructs are captured by their semantics. In the next step the authors give an implementation of the two high-level constructs described above; both implementations are based on digital signatures and are rather straightforward. The authors prove a soundness result that relates the two levels of abstraction, provided that the digital signature scheme used in the implementation is existentially unforgeable under chosen-message attacks [GMR88] and that the semantics of the abstract level is preserved by the implementation. It is worth noting that the paper only studies authentication, and is not concerned with secrecy properties.

Abadi, Corin, and Fournet [ACF06] define a process calculus which allows parties to create and use secure (that is, secret and authenticated) channels. The desired intuitive security properties are captured via the semantics that they attach to processes specified in this language. A standard notion of secrecy can be defined at this level, and a type system is used to reason about it. Next, the authors describe a lower-level language where cryptography occurs as part of the core operations that can be performed, and give a distributed implementation for the abstract processes. Interestingly, the implementation and the results of the paper rely on a previous computational soundness result. Indeed, the low-level implementation language is essentially the one introduced by Laud [Lau05], which we discuss in Section 3.6. Recall that programs written in this language that are typable preserve the secrecy of the messages sent by the honest parties. The result of Abadi, Corin, and Fournet builds on the above. They prove that a typable process is translated into a typable program. It then follows, by Laud’s soundness result [Lau05], that data which is secret at the abstract level is also secret at the level of the concrete implementation (according to a computational notion of secrecy).

5.0.2 Information flow. 

Fournet and Rezk [FR08] investigate the use of cryptography for enforcing secure information flow for both confidentiality and integrity. In more detail, their result is as follows. They first give a simple programming language with an associated language for specifying information flow policies. Satisfaction of such policies can be checked using a type system that they also design. Next, they give a lower-level implementation language which includes encryption and digital signing as part of the primitives that can be used. The type system is such that programs that type-check do not have undesired information flow, computationally. The main result of the paper uses a typed translation of abstract programs to concrete ones. They show that if the source program is typable then its translation is also typable. They conclude that the implementation satisfies non-interference against probabilistic polynomial-time adversaries.


6 The direct approach: formal cryptographic 
proofs 

Bruno Blanchet [Bla06, Bla07b] has designed a mechanized prover, named CryptoVerif, for security properties of cryptographic protocols. In contrast to most previous approaches, the tool does not rely on soundness results for symbolic models but directly automates the proofs made in cryptography, based on sequences of games. The security property of a protocol is specified as a game and is step by step reduced to the game defining the security of the cryptographic primitives. CryptoVerif handles shared-key and public-key encryption, signatures, message authentication codes, and hash functions. It provides a general strategy for transforming games. In case the strategy fails, it is possible to use an interactive mode where the user specifies by hand which transformation should be used. The first version of CryptoVerif [Bla06, Bla07b] was designed for secrecy properties. It has then been extended for proving correspondence assertions [Bla07a]. Correspondence assertions are useful for specifying properties like authentication. The tool has been tested on several protocols from the literature (e.g. Otway-Rees, Needham-Schroeder shared-key, Denning-Sacco public-key). It has recently been used to analyze Kerberos 5, a full industrial protocol [BJST08]. The CryptoVerif tool can be used not only to automate security proofs of protocols but also to automate security proofs of cryptographic primitives, reducing their security to standard cryptographic assumptions [BP06b]. To illustrate their technique, the authors show in particular that the Full-Domain Hash signature scheme enjoys unforgeability under chosen-message attacks (UF-CMA) under the assumption of (trapdoor) one-wayness of some permutations.

There have also been symbolic proofs of security for cryptographic primitives. In [BCT04] Barthe et al. formalize the random oracle model and the generic model in the proof assistant COQ. This formalization is used by Tarento [Tar05] to machine-check a security proof of signature schemes against forgery attacks for arbitrary generic adversaries. In the same vein, Courant et al. [CDCEL08] present an (incomplete) automated procedure for analyzing generic asymmetric encryption schemes in the random oracle model. More precisely, they define a programming language to specify generic encryption algorithms, i.e. encryption algorithms that rely on generic one-way functions and hash functions. On top of this language they define a Hoare logic to establish invariants that allow the proof of IND-CPA security. They also present a syntactic condition which guarantees plaintext-awareness, which together with IND-CPA security implies IND-CCA-2 security. Although not complete, the tool has been successfully applied to the construction of Bellare-Rogaway 1993, to that of Pointcheval at PKC’2000 and to REACT.


7 Conclusion 

In this paper we survey existing results that aim to bridge the gap between the two approaches used in security analysis. The direct approach is rather recent and work in this direction is in full swing. Currently, existing formalisms can tackle various game transformation based proofs. Two important directions that still need to be explored are game-based transformations based on rewinding (e.g. the techniques used in proving Schnorr signature schemes) and those based on hybrid arguments, where the number of hybrids depends on the security parameter.

On the computational soundness side, there are also many questions still 
open. First, several primitives appear to be difficult to abstract (soundly) in 
symbolic models. An important example is that of hash functions. In symbolic 
models hash functions are usually represented by a free symbol (usually denoted 
by h). This formalization seems to account for very strong security properties 
that cryptographic hash functions do not necessarily have. Another example is 
that of symmetric encryption where symbolic models do not seem to capture 
accurately the associated cryptographic behaviors. 

Finally, most soundness results require strong security assumptions on the primitives (e.g. IND-CCA-2 encryption in the active case), and this may seem to be unavoidable. Indeed, it has been shown that weaker but still standard assumptions may indeed compromise security [War05]. Nevertheless, in practice it is not always possible to use strongly secure primitives, due to legacy or efficiency reasons. For example, one might need to use deterministic encryption, in which case the encryption scheme cannot be IND-CCA or even IND-CPA. It would be particularly interesting to see if it is possible to obtain computational soundness for weaker security assumptions on the implementation of the primitives.